amjadmapari

Error while requesting RDP-SSL certificate

Hello,

I have a CA server in my environment which is working perfectly fine while giving certificates to our 2000+ servers. But one server with this issue, which was reformatted from Windows 2003 to 2008, gets an error when I go to MMC and add the Computer Certificates snap-in. Under Personal, when I request a certificate, it shows Status: Unavailable with a cross mark and the error statement "the permissions on this certification authority do not allow the current user to enroll for this type of certificate", while all permissions are in place and the certificate is working fine on other servers where it was imported.

The issue is only with the one server which I stated above. Early help appreciated, please.
Patrick Bogers
Hi.

In your CA, did you allow this server?
amjadmapari

ASKER

For this RDP-SSL certificate template, Authenticated Users are allowed Read and Enroll.
Correct me if I am wrong, but aren't you requesting a certificate for the local machine, in which case the server authenticates against the CA as domain\servername$?
For the servers deployed in our environment, we request a certificate from a sub-CA server hosted in our environment, with the RDP-SSL properties as seen in the screenshot.

While requesting a certificate through MMC in the Personal store of Computer Certificates, we get the error "the permissions on this certification authority do not allow the current user to enroll for this type of certificate".

But the certificate template is given Read and Enroll permissions for Authenticated Users, and we are facing this issue on only this one server.

User generated image
Also, please find the print screen of the error I am facing.

User generated image
Steps to fix this are:

Log on to the CA server handing out this certificate.
Start Server Manager -> open AD Certificate Services and click the + sign for the CA server.
Right-click on Certificate Templates and select Manage.
Right-click the desired certificate and select 'Duplicate Template'.
On General, give the template a name and validity period and publish to AD.
Next, in Security, select Object Types -> Computers.
Select the server, give it Enroll, Read and Write rights and select OK.

Allow the DCs to replicate and re-request the certificate. This should do the trick.
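
One way to check what the steps above change, as an added example that is not part of the original thread: this PowerShell lists the ACEs on the certificate template that grant or deny the Enroll and Autoenroll extended rights, and flags which of them apply to the affected server's computer account. It assumes the RSAT ActiveDirectory module, that the template's CN is `RDP-SSL` (the CN can differ from the display name), and `SERVERNAME` is a placeholder.

```powershell
# Added example. Assumptions: RSAT ActiveDirectory module is installed and the
# caller can read the Configuration partition. Names below are placeholders.
Import-Module ActiveDirectory

$TemplateName = 'RDP-SSL'      # assumed template CN; adjust to your template
$ServerName   = 'SERVERNAME'   # placeholder for the affected server

# Control-access right GUIDs used on certificate template objects
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment
$ExtendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# SIDs the computer account presents: its own SID, its group SIDs,
# plus the well-known Everyone and Authenticated Users SIDs.
$computer = Get-ADComputer -Identity $ServerName -Properties tokenGroups
$sids = @($computer.SID.Value) +
        @($computer.tokenGroups | ForEach-Object { $_.Value }) +
        @('S-1-1-0', 'S-1-5-11')

# Keep ACEs that carry an extended right scoped to Enroll, Autoenroll,
# or to all extended rights (empty ObjectType GUID).
$acl = Get-Acl -Path "AD:\$templateDN"
$acl.Access |
    Where-Object {
        (($_.ActiveDirectoryRights -band $ExtendedRight) -eq $ExtendedRight) -and
        (($_.ObjectType -in $EnrollGuid, $AutoEnrollGuid) -or ($_.ObjectType -eq [guid]::Empty))
    } |
    ForEach-Object {
        $sid = $_.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        [pscustomobject]@{
            Identity        = $_.IdentityReference
            Type            = $_.AccessControlType      # Allow or Deny
            Right           = if ($_.ObjectType -eq $EnrollGuid) { 'Enroll' }
                              elseif ($_.ObjectType -eq $AutoEnrollGuid) { 'Autoenroll' }
                              else { 'All extended rights' }
            AppliesToServer = $sids -contains $sid
        }
    } | Format-Table -AutoSize
```

A Deny row with `AppliesToServer` set to True, or no Allow row for Enroll that applies to the server, points at the template ACL; otherwise the template permissions are not what is blocking the request.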
Thanks, but when I try to request the same certificate from a different server in the domain, it shows up properly.
PFA snap.

User generated image
More reasons to believe the server account is not allowed, isn't it?
ASKER CERTIFIED SOLUTION
becraig